__cil_fill_expr() initializes 'cil_list *sub_expr' but does not destroy
it when __cil_fill_expr_helper() fails. This list is therefore leaked
when __cil_fill_expr() returns.
This occurs when secilc compiles the following policy:
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(categoryset cats (not (range unknown)))
This bug has been found using gcc address sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
---
libsepol/cil/src/cil_build_ast.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index f57bd21358d3..ee283b535147 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -2562,6 +2562,7 @@ static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor
cil_list_init(&sub_expr, flavor);
rc = __cil_fill_expr_helper(current->cl_head, flavor, sub_expr, depth);
if (rc != SEPOL_OK) {
+ cil_list_destroy(&sub_expr, CIL_TRUE);
goto exit;
}
cil_list_append(expr, CIL_LIST, sub_expr);
--
2.10.0
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
